Hey, here we go with the ninth installment of Conociendo sobre Malware, this time with a contribution to our knowledge: reading the excellent book Malware Analyst’s Cookbook, which comes with practical advice the authors have laid out for understanding and fighting malware. Worth noting: this book is not a heavy, so to speak, treatment of every malware analysis technique, but it does offer very practical tools and approaches, as well as everything related to commands and tools; you will draw your own summary or takeaways from it. This is a book I read on my Kindle when I have time or get bored with my own stuff; my aspiration is to end up working as a malware analyst, since I am quite passionate about this world.
To learn more about the book you can visit its official page, www.malwarecookbook.com, where the tools were released on Google Code (Source Malware Cookbook), and of course there is also the Malware CookBook PDF as a direct download.
A list of the tools, taken from the official page.
* **torwget.py**: Multi-platform TOR-enabled URL
* **wwwhoney.tgz**: CGI scripts to accept submissions from nepenthes and dionaea honeypots
* **clamav_to_yara.py**: Convert ClamAV antivirus signatures to YARA rules
* **peid_to_yara.py**: Convert PEiD packer signatures to YARA rules
* **av_multiscan.py**: Script to implement your own antivirus multi-scanner
* **pescanner.py**: Detect malicious PE file attributes
* **ssdeep_procs.py**: Detect self-mutating code on live Windows systems using ssdeep
* **avsubmit.py**: Command-line interface to VirusTotal, ThreatExpert, Jotti, and NoVirusThanks
* **dbmgr.py**: Malware artifacts database manager
* **artifactscanner.py**: Application to scan live Windows systems for artifacts (files, Registry keys, mutexes) left by malware
* **mapper.py**: Create static PNG images of IP addresses plotted on a map using GeoIP
* **googlegeoip.py**: Create dynamic/interactive geographical maps of IP addresses using Google charts
* **sc_distorm.py**: Script to produce disassemblies (via DiStorm) of shellcode and optionally apply an XOR mask
* **vmauto.py**: Python class for automating malware execution in VirtualBox and VMware guests
* **mybox.py**: Sample automation script for VirtualBox based on vmauto.py
* **myvmware.py**: Sample automation script for VMware based on vmauto.py
* **analysis.py**: Python class for building sandboxes with support for analyzing network traffic, packet captures, and memory
* **RegFsNotify.exe**: Tool to detect changes to the Registry and file system in real time (from user mode without API hooks)
* **HandleDiff.exe**: Tool to detect changes to the handle tables of all processes on a system (useful to analyze the side-effects of code injecting malware)
* **Preservation.zip**: Kernel driver for monitoring notification routines, preventing processes from terminating, preventing files from being deleted, and preventing other drivers from loading
* **cmd.exe**: Custom command shell (cmd.exe) for logging malware activity and backdoor activity
* **tsk-xview.exe**: Cross-view based rootkit detection tool based on The Sleuth Kit API and Microsoft’s Offline Registry API
* **HTMLInjection Detector.exe**: Detect HTML injection attacks on banking and financial websites
* **routes.pl**: RegRipper plug-in for printing a computer’s routing table
* **pendingdelete.pl**: RegRipper plug-in for printing files that are pending deletion
* **disallowrun.pl**: RegRipper plug-in for printing processes that malware prevents from running
* **shellexecutehooks.pl**: RegRipper plug-in for printing ShellExecute hooks (a method of DLL injection)
* **dumpcerts.pl**: Parse::Win32Registry module to extract and examine cryptography certificates stored in Registry hives
* **somethingelse.pl**: Parse::Win32Registry module for finding hidden binary data in the Registry
* **scloader.exe**: Executable wrapper for launching shell code in a debugger
* **scd.py**: Immunity Debugger PyCommand for finding shellcode in arbitrary binary files
* **findhooks.py**: Immunity Debugger PyCommand for finding Inline-style user mode API hooks
* **pymon.py**: WinAppDbg plug-in for monitoring API calls, alerting on suspicious flags/parameters and producing an HTML report
* **xortools.py**: Python library for encoding/decoding XOR, including brute force methods and automated YARA signature generation
* **trickimprec.py**: Immunity Debugger PyCommand for assistance when rebuilding import tables with Import REconstructor
* **kraken.py**: Immunity Debugger PyCommand for cracking Kraken’s Domain Generation Algorithm (DGA)
* **sbstrings.py**: Immunity Debugger PyCommand for decrypting Silent Banker strings
* **rundll32ex.exe**: Extended version of rundll32.exe that allows you to run DLLs in other processes, call exported functions, and pass parameters
* **install_svc.bat**: Batch script for installing a service DLL (for dynamic analysis of the DLL)
* **install_svc.py**: Python script for installing a service DLL and supplying optional arguments to the service
* **dll2exe.py**: Python script for converting a DLL into a standalone executable
* **DriverEntryFinder**: Kernel driver to find the correct address in kernel memory to set breakpoints for catching new drivers as they load
* **windbg_to_ida.py**: Python script to convert WinDbg output into data that can be imported into IDA
* **WinDbgNotify.txt**: WinDbg script for identifying malicious notification routines
I hope you like it, and let’s keep digging deeper into this little world of malware.
Regards,
Snifer